Bug #1587

closed

[security] when mod_userdir is loaded but not configured, the server's whole disk becomes remotely readable

Added by Anonymous about 17 years ago. Updated about 17 years ago.

Status:
Fixed
Priority:
High
Category:
mod_userdir
Target version:
ASK QUESTIONS IN Forums:

Description

I've just discovered that you could download my /etc/passwd file by simply pointing your browser to http://myserver/tld/~nobody/etc/passwd (thanks to Nessus).

After some research, I've found the culprit to be mod_userdir, which I had left there while I had removed all its configuration variables from my conf.

Loading this module with its default values should not compromise the server security.
IMHO, the default value for userdir.path should not be "." unless the webmaster sets so, but the standard "public_html".

-- julien.cayzac
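A simplified model of the mapping the report describes, added here as an illustration rather than lighttpd's own code: a /~user/... request is resolved as home directory + userdir.path + remainder, so a default of "." combined with an account whose home is "/" serves the entire filesystem. The user table and the function names (resolve_userdir, audit_served_roots) are constructed for the example, and the "userdir_path is None" branch models the workaround from revision ec5c74ad (module inactive until userdir.path is set).

```python
import posixpath
from typing import Optional, Sequence

# Constructed sample of home directories (stands in for /etc/passwd).
HOME_DIRS = {
    "nobody": "/",            # system account whose home is the root directory
    "alice": "/home/alice",
}


def resolve_userdir(url_path: str, userdir_path: Optional[str],
                    exclude_users: Sequence[str] = ()) -> Optional[str]:
    """Return the physical path a /~user/... request would map to,
    or None when the userdir mapping does not apply.

    userdir_path=None models the workaround: nothing is served unless
    userdir.path has been explicitly configured.
    """
    if userdir_path is None or not url_path.startswith("/~"):
        return None
    user, _, rest = url_path[2:].partition("/")
    if user in exclude_users or user not in HOME_DIRS:
        return None
    # Reject traversal segments; a real server normalises the URL earlier.
    if any(seg == ".." for seg in rest.split("/")):
        return None
    return posixpath.normpath(
        posixpath.join(HOME_DIRS[user], userdir_path, rest))


def audit_served_roots(userdir_path: str,
                       exclude_users: Sequence[str] = ()) -> list:
    """Defender check: list accounts whose served root would be '/'
    under the given userdir.path, i.e. whose whole disk is exposed."""
    risky = []
    for user, home in HOME_DIRS.items():
        if user in exclude_users:
            continue
        if posixpath.normpath(posixpath.join(home, userdir_path)) == "/":
            risky.append(user)
    return risky


if __name__ == "__main__":
    # The report's case: default "." plus nobody's home "/" -> /etc/passwd
    print(resolve_userdir("/~nobody/etc/passwd", "."))
    print(audit_served_roots("."))             # ['nobody']
    print(audit_served_roots("public_html"))   # []
```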

Added by stbuehler about 17 years ago

Revision ec5c74ad (diff)

workaround #1587: require userdir.path to be set to enable mod_userdir (empty string allowed)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2120 152afb58-edef-0310-8abb-c4023f1b3aa9

Added by stbuehler about 17 years ago

Revision 763f8840 (diff)

Update documentation for #1587

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2130 152afb58-edef-0310-8abb-c4023f1b3aa9
